Cleaning WordPress after it has been compromised

So your WordPress installation has been compromised, it continues to be attacked on an ongoing basis, and now you are starting to get frustrated. What steps can you take to protect yourself from these attacks? We’ll take a look at how you can protect your website going forward and avoid having to take your website offline for maintenance. Remember, if you fail to clean your WordPress website properly, it’s likely that the hackers have left a backdoor so they can reinfect your website whenever they want. For this reason you need to identify any files that are present that shouldn’t be.

Through BloggingSupport.com we offer services to maintain WordPress sites. Often customers come to us when their website has been compromised, either because it hasn’t been upgraded for a long time or because of insecure WordPress plugins.

Knowing you are hacked

Often customers don’t know they are hacked until something more serious happens, like they start to lose web traffic or their domain gets banned from sending email. We recommend that you do a domain search on Google with site:yourdomain.com to see if any additional pages have been added to your website.

In the case that the hacker is using your site to send spam, make sure that bounce messages are sent to an address that you monitor on a regular basis. These hackers can send thousands of emails an hour via your compromised website and will get you on a blocklist. You can check the status of your server IP address or domain name on these two websites: SpamHaus Lookup & MXToolBox Blacklists.

Update your WordPress plugins

As a general rule we recommend that you only use the minimum number of plugins, and make sure that the plugins you or your web developer have chosen are actively updated. It’s often the case that vulnerabilities are discovered in these plugins, and hackers blindly test your website to see if you have a certain plugin installed.

Update your WordPress site

It goes without saying that you should also keep up to date with WordPress updates. Updating is straightforward (or you can hire us to update it for you), but you do need to check that everything is still working once you update. We do a run-through of a website’s main features, like checking the contact form, search functions, commenting, etc.

WordPress powers over 20% of the internet, and for this reason it’s an interesting attack vector for hackers.

Cleaning WordPress

If your website has been hacked, the first step is to change your password and to check whether any extra users have been added to your site (Dashboard > Users > All Users).

Check to see if there are any new plugins that you don’t recognise (Plugins > Installed Plugins).

Often these hacks will add some extra files to your WordPress installation. The easiest thing to do is to re-upload a fresh, clean copy of WordPress. We recommend that you delete the contents of /wp-admin/ & /wp-includes/ (often there are rogue files named ‘admin.php’ or ‘options.php’ hidden here). Delete all the PHP files in your main directory except for wp-config.php.

Check file edit dates

If you know your way around an FTP client, it’s worth checking the folders. Keep an eye out for files that have an unusual update date. Generally your WordPress files should all have a similar update date, whereas rogue files will probably have been added at a different time.

Check your /wp-content/ folder for any extra files. It should only contain one file, index.php, plus the subfolders /plugins/, /themes/, /upgrade/ & /uploads/; check these for files that have been edited or added at strange times.

In /wp-content/themes/ you should remove any themes that you no longer need. You should also check the contents of the remaining theme files for PHP code that hides what it does: search for functions like ‘base64_decode’ or ‘eval’.
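The three file checks above (obfuscated PHP, odd modification dates, stray files in /wp-content/) as an added shell example; this is not code from the original post. setup_sample builds a constructed wp-content tree in a temp directory so it runs offline, and the find_* helpers take the WordPress root as their first argument.

```shell
# Added example, not code from the original post: helpers for the manual file
# checks described above. setup_sample builds a small constructed wp-content
# tree in a temp dir so the script runs offline; the find_* functions take the
# WordPress root directory as $1 and work unchanged against a real installation.

setup_sample() {
  root=$(mktemp -d)
  wcdir="$root/wp-content"
  mkdir -p "$wcdir/plugins/akismet" "$wcdir/themes" "$wcdir/upgrade" "$wcdir/uploads/2019"
  printf '<?php\n// Silence is golden.\n' > "$wcdir/index.php"
  printf '<?php\necho "hello";\n' > "$wcdir/plugins/akismet/akismet.php"
  # Constructed rogue file: obfuscated PHP dropped into the uploads folder.
  printf '<?php\neval(base64_decode("ZWNobyAxOw=="));\n' > "$wcdir/uploads/2019/x.php"
  # Constructed stray file at the top level of wp-content.
  printf '<?php\n// stray\n' > "$wcdir/admin.php"
  # Backdate the legitimate files so they look like a normal, older install.
  touch -t 201901010000 "$wcdir/index.php" "$wcdir/plugins/akismet/akismet.php"
  echo "$root"
}

# PHP files under wp-content that call the obfuscation functions the post names.
find_suspicious_php() {
  find "$1/wp-content" -name '*.php' -exec grep -lE 'base64_decode|eval\(' {} +
}

# PHP files modified after wp-content/index.php: the files WordPress ships
# share an update date, so anything newer deserves a look.
find_recent_php() {
  find "$1/wp-content" -name '*.php' -newer "$1/wp-content/index.php"
}

# Anything at the top of wp-content other than index.php and the expected
# subfolders (plugins, themes, upgrade, uploads).
find_extra_toplevel() {
  for entry in "$1"/wp-content/*; do
    case "$(basename "$entry")" in
      index.php|plugins|themes|upgrade|uploads) ;;
      *) echo "$entry" ;;
    esac
  done
}

# Demo run against the constructed tree: sh cleanup.sh --demo
if [ "${1:-}" = "--demo" ]; then
  r=$(setup_sample)
  echo "suspicious:"; find_suspicious_php "$r"
  echo "recent:"; find_recent_php "$r"
  echo "extra:"; find_extra_toplevel "$r"
fi
```

Against a real site, run the find_* functions with the install directory instead of the constructed tree and review every path they print by hand before deleting anything.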

Use WordPress Exploit Scanner plugin

WordPress Exploit Scanner is a useful plugin that will perform many of the steps we’ve highlighted above. It will also check the database that runs your site. We recommend that you run this on a regular basis.

WordPress is a great platform to use for websites, but like any software it needs to be maintained. Failing to keep the software up-to-date means that your website is more likely to be compromised which may result in you having to take your website offline for a bit of time to fix.

4 Comments

Excellent post, I would only add two things:
– if you know your way around MySQL it may be worth checking the database for any unusual and unfamiliar additions, as well as changing the password of the database that the WordPress site is running on. To prevent further hacking attempts at the database level, you may also want to change the admin user ID to something different from 1 (it should be changed in all tables referring to it) and rename the admin user to something less obvious;
– if you are not sure how you have been hacked you may want to talk to your host, as it may have been a shell-level attack; then all your files, themes and plugins would be intact, as well as the database, but there will still be parasite pages on the server (in this case, not just on your site but on all others hosted on the same server) – but this goes a bit beyond the topic of fixing hacked WordPress.

Paul
With all the unknown flaws in WordPress plugins, is it time for people serious about security to look at a different CMS? WordPress seems to be such a huge target now it’s so popular, and even if you keep it fully updated and use the likes of Wordfence you’re still open to entry-level coders running LFI or injections against your plugins and finding new flaws.

Hi Trev, thanks for stopping by. It’s sad to say it, but any popular CMS is a target. The one thing about WordPress is that they are pretty good with updates. Where a lot of issues are caused, I’ve seen, is with 3rd-party plugins that are susceptible to XSS attacks, which allow an easy back door into your WP install.